We don't want the NSA tracking us, because we get nothing in return. It tries to sell us on "terrorism prevention," but most people don't experience that benefit in a visceral way. But this is not to say Americans won't give up privacy for anything.

On the contrary, Americans are very, very cheap dates. For just a modicum of convenience, entertainment and comfort, I'm happy to give you a list of everyone I call and everywhere I go. That's more than I'm sure the NSA has on me. And despite your privacy concerns, most of you are exactly the same way.

18 Responses:

If the NSA were smart, it would buy Candy Crush Saga, change the permissions, and be done with it.

Is there an equivalent of the Data Protection Act in the US? Here, I can make a 'subject access request' to an organisation, AKA 'give me a copy of all the data you have on me'. Equivalent laws exist in most of the EU.

As ever, "National Security" trumps all the human rights stuff, but it would be difficult for an app company to claim that... without coming out about being GCHQ / the NSA etc.

I would assume that a company owned by GCHQ/NSA would be authorized in the name of national security to simply lie about what data they have. They wouldn't have to tell you "I can't tell you because national security"; they could just say "we don't store that data" with their fingers crossed behind their back.

Isn't the difference that FOIA only applies to the Federal government (with similar acts applying to most but not all state governments), but covers all information (with exceptions for national security, vendors' trade secrets, etc.) while the Data Protection Act covers only information about the person making the request, but applies to all organizations including corporations and all levels of government?

Private entities are under little legal requirement to divulge data they collect on people, with the exceptions being when that data is used for making certain decisions like financial situations. Most states have state level FOIA laws.

That said, if FOIA laws cover more data than DPA laws, then FOIA laws are perfectly suitable for the purpose of DPA equivalence.

The DPA is an implementation of Europe's Data Protection Directive and FOIA isn't really anything like it. Indeed if not for a specific "safe harbour" provision argued for by the US most American corporations which operate in the EU would be obliged to handle all EU customer data only from their EU subsidiary inside EU territory. The goal of the Directive is that people should be able to ensure that organised data relating to them is accurate and up-to-date, and held only for some specific purpose that they agreed to when it was collected. It has broad exemptions for law enforcement and certain government functions which undoubtedly protects GCHQ and the many other European spooks.

However, the DPA (and most similar implementations in other EU countries) is essentially toothless. Chances are that even if say, Disney was deliberately and flagrantly violating the spirit and letter of the DPA, nothing of consequence would happen to them. So certainly an intelligence front would feel no compulsion to obey this law even before considering that they can claim immunity.

The only rational way you could truly enforce the DPA at all would be surprise audits, following up a seemingly ordinary request with a blitz of database experts, clerks, and ex-police to go through every Excel spreadsheet, Postgres install and filing cabinet in a business verifying that the response was complete and accurate. There is no funding for such an activity, no legal precedent to permit it, and no sign that the present agency leadership desire to undertake such an audit. So as I said, in practice it's toothless. Nevertheless, companies which see it as important for political or other reasons to appear to obey the law do endeavour to implement the Act. One of the first signs you'll see in an EU company that it takes this regulation seriously is that CS agents are trained never to write anything in a customer's notes that they wouldn't want the customer to see, because of course those notes are subject to the DPA.

FOIA lets you ask e.g. "How many squirrels did the department of squirrel-wrangling wrangle in Wisconsin during 2012?" And you can ask such questions of the government or (some of) its agencies and other public bodies. What do they know? helps people do this in the UK and shares all the results.

DPA lets you ask e.g. "What do you know about me?" but not any questions about other people, or for example about squirrels, or Wisconsin. And you can ask this question of any business, charity, etc. though not individual people.

The DPA also lets you demand e.g. "You keep telling people I live at 154 Oxford Road, but I don't, so stop doing that" or "You told me you would only use my email address to send me receipts for transactions, but now it's getting spammed. Stop that too".

He meant that pre-Snowden he had an expectation of privacy. I.e., all the way up to 1 BSE (Before Snowden Era), the vast majority of people still had an expectation of privacy. There were a lot of precursors of government intrusion, but little public awareness. After Snowden, public awareness changed fast, within months. Even in early 1 AS, that illusion was gone. Not that it mattered; as we will see, laws didn't change.

This is a great example of an ancient American's changing worldview. It's fascinating now, but must have been horrible to experience. Just like with the Occupy movement we talked about yesterday, they found out in stark terms that their government barely cared about them.

Improve it for who? It is far far easier for them to use the data to improve their conversion rates on gift shop crap and overpriced bad food than it is to use it to improve their product.

Stuff like having people come over to entertain you while you're stuck in a queue costs money and will probably not make them much back in customer loyalty. They won't do that. (Anyway, they already have much the same data from room keys for people staying on-property.) What they will do is track movement, imply mental state, and redesign infrastructure to make sure that at the moment the model says that you're most susceptible, you will be in front of a gift shop or a turkey leg stand.

This is fundamentally different from the NSA version of control through data though: if the NSA is 1984, Disney is more like Brave New World. One keeps you in line through fear of consequences, the other makes the line a really comfortable place to be (and then exploits you while you're on it).

I've been avoiding replying for a few days but I think I can cut my feeling down to:

The strangely optimistic part of me hopes that with perfect knowledge may come the realization of how much of this bullshit isn't profitable and just amounts to corporate shuffling-of-food-around-on-the-plate. At which point maybe they can stop being creepy and get it out of my face.

For instance, if you know that the rich kids are getting special treatment and you can't afford to get your kid the Princess Birthday Pass, maybe you take your little subprime-risk offspring to Six Flags over Hoboken, and enough people start writing blog posts noticing that Disney World is getting really creepy lately and attendance drops off until the company announces "Yeah, we thought that microprofiling thing was kind of creepy too" and goes back to just using visit-counters on the bathroom stall doors?

But then the realist in me realizes that a single 1% is worth more than a city of 99%ers before you tack on the support costs and chargebacks if one of the unwashed masses isn't satisfied or sues you for harassment-by-bidet. Which is why Manhattan exists and why everyone with any financial sense these days aspires to join the arts-and-crafts Linux-powered steampunk handbag industries. Working on an assembly line is for blue-collar fuckups, but it's respectable to be building a Bugatti for Mr. Burns (or at least being a barista for Bob in accounting beats putting up with the homeless at the McDonald's across the street).

Yeah, I'm pretty sure it's profitable. And with enough data you can tune for a specific level of creepiness.

And this isn't really a 1% vs 99% thing - I'd say the profit multiplier for a high-roller vs a regular shmuck in Disneyworld is maybe 10x, 20x at most. Staying in the Grand Floridian and eating at the "high-end" restaurants, you're paying more than the average, but not massively more.

The biggest consumer of the data, now that I think of it, will be DVC - Disney's timeshare business. That's probably the single biggest expense that people can incur in the parks, and it's recurring revenue. It usually takes some serious pressure to break people down before they'll sign up for a timeshare. Anything that helps them reduce the effort required to make the sale is well worth it.